Virtual Private Networks (VPNs) are increasing in popularity as the Internet continues to change the face of our society. A VPN is a private data network that offers a point-to-point connection for data traffic between a client and a server, or among multiple servers. The private data network is established over a shared or public network, such as the Internet, with the aid of encryption and/or some other security technology; typically not only the data but also the original source and destination network addresses are encrypted (tunnel-mode encapsulation), so that only the addresses of the tunnel endpoints are visible on the public network. The VPN connection across the Internet, for example, logically operates as a Wide Area Network (WAN) link between the dislocated sites, with data being exchanged between peers in secret. The secret connection is known as a VPN tunnel. A “tunnel” encapsulates the packets of one protocol inside the packets of another, so that the intermediate network acts as a blind relay between the two tunnel endpoints and forwards the encapsulated packets without interpreting their contents. The tunnel can be formed as defined by any number of protocols, including Internet Protocol Security (IPSec), the Point-to-Point Tunneling Protocol (PPTP), and the Layer 2 Tunneling Protocol (L2TP); of these, only IPSec itself provides confidentiality and integrity protection, L2TP being commonly combined with IPSec (L2TP/IPSec) for that purpose.
An example of a VPN-enabled voice communication will now be discussed with reference to FIG. 1. FIG. 1 depicts an enterprise network 100 having a number of dislocated network segments 104, 108, and 112. The network segment 108 is the primary enterprise network segment or site and includes, along with the other (secondary) enterprise segments 104 and 112, a security gateway 116, trusted Local Area Network (LAN) 120, and communication device(s) 124. Additionally, the segment 108 includes an authentication server 128 and switch/server 132. The various enterprise network segments 104, 108, and 112 are in communication with one another and with an external remote communication device 136 via an untrusted (WAN) network 140, such as the Internet. The secure communication device 136 includes a processor 144 and memory 148. The memory 148 includes a Voice over Internet Protocol or VoIP application 152 and an IPSec stack 156 to enable secure communications. As will be appreciated, VoIP is an application used to transmit voice conversations over a data network using the Internet Protocol. Examples of such data networks include the Internet and corporate intranets.
To make a voice call between the secure communication device 136 and a communication device 124 in the enterprise network segments 104 or 112, or between communication devices 124 in the enterprise network segments 104 and 112, the call control signaling and voice data are both routed through the primary enterprise segment 108. More specifically, a persistent secure tunnel 160 is established between the secure communication device 136 and the security gateway 116 of the primary enterprise segment 108, a tunnel 164 between the security gateway 116 in the enterprise segment 104 and the security gateway 116 in the primary enterprise segment, and a tunnel 168 between the security gateway 116 in the enterprise segment 112 and the security gateway 116 in the primary enterprise segment. Call control signaling and voice data are transmitted over these tunnels.
To illustrate the operation of VPN-enabled voice communications, assume a voice call between secure communication device 136 and a communication device 124 in the enterprise network segment 104. The voice data is encrypted by IPSec stack 156 and transmitted over tunnel 160 to the security gateway 116 in the primary enterprise segment, where it is decrypted. The security gateway, noting the destination for the voice data, re-encrypts the voice data and relays it over the tunnel 164 to the security gateway 116 in the segment 104. That security gateway decrypts the voice data and provides it to the communication device 124 over trusted LAN 120.
As can be seen, there is no tunnel directly between the secure communication device 136 and enterprise segments 104 or 112, or between the enterprise segments 104 and 112. This can create problems. The need to redirect the packets over multiple communication paths, with a decrypt-and-re-encrypt step at each intermediate security gateway, can cause higher levels of voice data packet latency, loss, and jitter, which can substantially degrade voice communication quality. The redirection of all voice packet traffic through a central location also reduces the robustness of the VPN architecture. If the primary enterprise site 108 becomes unavailable for any reason, such as the failure of a link or component (e.g., the security gateway 116), the VPN is effectively disabled.
Solutions to the central-point-of-failure problem have been developed for other, non-voice applications. For example, VPN remote for Windows 2000XP™ by Avaya, Inc., overcomes the problem by creating point-to-point tunnels between secondary enterprise network segments. This is effected by providing to the security gateways, in each of the secondary enterprise network segments, VPN topology and configuration information. The VPN topology information includes the range of IP addresses serviced by each security gateway and the IP address of the servicing gateway. Using this information, the various gateways can establish point-to-point tunnels that do not include the security gateway at the primary enterprise site, and can directly exchange data payload packets over those tunnels.
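The following is an added example, not code from the patent or from the Avaya product it cites. It models the hub-and-spoke topology of FIG. 1 and the topology-information approach described above: each gateway is listed with the private address ranges it services and its public address, a packet's destination is mapped to its servicing gateway by longest-prefix match, and the path is computed either through the primary site (tunnels 160, 164, 168) or over a direct point-to-point tunnel. All addresses and gateway names are hypothetical, chosen to mirror the reference numerals in the figure.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Gateway:
    """One VPN endpoint: a site security gateway or the remote device's own IPSec stack."""
    name: str
    public_ip: str        # address of the endpoint on the untrusted WAN 140 (hypothetical)
    served: tuple         # private ranges behind this endpoint (hypothetical)


# Constructed topology modelled on FIG. 1. The remote device 136 runs its own IPSec
# stack, so it is its own endpoint and "services" only its single address.
TOPOLOGY = (
    Gateway("gw-108-primary", "203.0.113.1", ("10.8.0.0/16",)),
    Gateway("gw-104", "203.0.113.2", ("10.4.0.0/16",)),
    Gateway("gw-112", "203.0.113.3", ("10.12.0.0/16",)),
    Gateway("dev-136", "198.51.100.20", ("192.0.2.10/32",)),
)
HUB = "gw-108-primary"


def servicing_gateway(ip, topology=TOPOLOGY):
    """Longest-prefix match of a private address to the endpoint that services it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for gw in topology:
        for cidr in gw.served:
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (gw, net)
    if best is None:
        raise LookupError(f"no gateway services {ip}")
    return best[0]


def tunnel_path(src_gw, dst_gw, hub_up=True, direct_tunnels=False):
    """Ordered list of endpoints a packet traverses.

    Hub-and-spoke (the FIG. 1 arrangement): every inter-site packet is relayed via the
    primary gateway, which decrypts and re-encrypts it; if the hub is down the VPN is
    disabled. Direct tunnels: the two endpoints exchange packets over a point-to-point
    tunnel built from the topology information, with no dependency on the hub.
    """
    if src_gw == dst_gw:
        return [src_gw]                      # same trusted LAN, no tunnel needed
    if direct_tunnels:
        return [src_gw, dst_gw]
    if not hub_up:
        raise ConnectionError("primary site unavailable: hub-and-spoke VPN is disabled")
    if HUB in (src_gw.name, dst_gw.name):
        return [src_gw, dst_gw]              # one end is the hub itself
    return [src_gw, HUB_GW, dst_gw]


HUB_GW = next(gw for gw in TOPOLOGY if gw.name == HUB)


def route(src_ip, dst_ip, hub_up=True, direct_tunnels=False):
    """Names of the endpoints on the path from src_ip to dst_ip."""
    path = tunnel_path(servicing_gateway(src_ip), servicing_gateway(dst_ip),
                       hub_up=hub_up, direct_tunnels=direct_tunnels)
    return [gw.name for gw in path]


def relay_points(path):
    """Number of intermediate endpoints that see the voice payload in plaintext
    while decrypting and re-encrypting it (each one adds latency and jitter)."""
    return max(len(path) - 2, 0)


if __name__ == "__main__":
    # Remote device 136 calling a phone 124 on segment 104, as in the text.
    print(route("192.0.2.10", "10.4.0.7"))                       # via the hub
    print(route("192.0.2.10", "10.4.0.7", direct_tunnels=True))  # point-to-point
    try:
        route("10.4.0.7", "10.12.0.9", hub_up=False)
    except ConnectionError as e:
        print("hub-and-spoke:", e)
    print(route("10.4.0.7", "10.12.0.9", hub_up=False, direct_tunnels=True))
```

The model makes the two costs of the hub-and-spoke design explicit: `relay_points` counts gateways at which the voice stream is exposed as plaintext and re-encrypted, and the `hub_up=False` case shows that the primary site's availability gates every inter-site call. With direct tunnels both costs disappear, at the price of distributing the topology table (and the keys or credentials to authenticate each peer) to every gateway.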
There is a need to provide point-to-point tunnels between security gateways and secure communication devices to enable voice communications in a VPN architecture.